Database App Agent: RPM signing using GPG public key

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG (also known as GPG), allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GPG is an identification key system and can be used to "sign" files or e-mails so you can check the authenticity of them once the same file is received and used somewhere.

Signing data with a GPG key enables the recipient of the data to verify that no modifications occurred after the data was signed (assuming the recipient has a copy of the sender s public GPG key).

RPM package files (.rpm) and yum repository metadata can be signed with GPG.

Linux RPM uses GPG to sign packages. GPG does not rely on a network of Certificate Authorities (CA), but on individual signatures and peer trust. PSO provides a GPG valid for one year to sign our RPM files, and we include the public key with every build. To verify the signature of an RPM, you need to first import the Dell EMC Database App Agent public key into the gpg keyring and then verify the rpm.  

Database App Agent Linux RPM packages can be signed using a public GPG key that is listed in this KB article.

Power Protect and Database App Agent support for GPG keys:    
Database App Agent added a support for GPG key signing from Database App Agent 4.x onwards. GPG key has an expiration period of 1 year. If the RPMs have signed with a key that has expired, then validation of signature requires the key that was used during signing. For example, if the GPG key named key-1 is used to sign the RPMs in 2017, then the same key cannot be used to sign RPMs in 2018 if it has expired, however it can be used to validate the signature for the RPMs that has been signed.

The list of GPG keys is mentioned in the last section of this document.

Procedure to Validate GPG signature:     

1. Check whether RPM has a valid GPG signature using  checksig  or equivalent for respective Linux OS. For example, on RHEL or SuSE, run the below command to validate the signature. The Dell EMC Database App Agent GPG key is 1024 bit.

2. Copy the GPG public key that is highlighted in the last section of this document to a file and import it using the command below.
3. Import the key using  rpm  import <key_file> . This imports the GPG public key into the local client system for Dell EMC Database App Agent. The RPM database will have a key against Dell EMC Database App Agent.
4. The Database App Agent RPM package now shows as GPG signed.

5. Using the same key file, verify the signature of Power Protect Agent Service RPM.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQENBF2DHtMBCADG3Ea2oBmPB7P4Ix93l62asenFfeX5VjgJSgD9Zm4DVFtN248J
Xbt7Hk49sMeQJBBaU5V6YZI5Qk1dMrZyftU231/RWTAh9zHpZA+/wOF8B/u3309P
Fhni2TnUtOmn6jn6rAHxxRfXV071efVoje6cNCcJp0o2w06gc2oD3tPpFU4ft0J/
rKw430DtvEqCkiMO5Wpw3Q+PQlqJJr7tKSDpy0WuRzxvE2UV5o4SEQYSfkSwbxIF
qb4iz1VoCU/7VfEkpc+CNn5i99EdL7gKoXJVCQMI+HRVs/mqXgn5s/PaW9ij/Oaa
l/OPsnvlcqBwT1vTNcJ7NIGJ33JJe3Uu5DB5ABEBAAG0H0VNQyBOZXRXb3JrZXIg
PHN1cHBvcnRAZW1jLmNvbT6JAT4EEwECACgFAl2DHtMCGwMFCQPCZwAGCwkIBwMC
BhUIAgkKCwQWAgMBAh4BAheAAAoJEH7SFIvF3+A9C2kIALiCTdWpJhWMIBFwnyPc
GS244z4QCEu+wQK4pMC06a3TXD0AKCk6i8ado7LolKQA3rWqRm7+M0NCxUQA0396
pLLxLoT/miHMXSjDrpDpel1L5tcMCabF75WXs39d08O7djhbyt2kCt1ApcE09krb
sgiknCr7hoEbA6G09taC5ttdlYW5Fd0lZV61FA+9NQCMjZJ2rbhYbhN797J55hGV
Vy0fRX/yENtVBcisUPvezGrDqFgVe2zG07IZ4kGOuPTaGUFOjw7DzPbTLO1d7VAF
3UCaAmjKOI5Q9aB/gnBlZvXIwXfwQeL9IqhT3qvZUdT2gkIpg+kQifqeiAg/1GaS
39g=
=m8P2
-----END PGP PUBLIC KEY BLOCK-----